LIMITED AUDIT OF THE FISCAL YEAR 2007 FEDERAL MANAGERS’ FINANCIAL INTEGRITY ACT SECTION 2 AND SECTION 4 ASSURANCE STATEMENTS
REPORT NUMBER: A070205/A/F/F08003
NOVEMBER 9, 2007

RESULTS OF AUDIT

In reviewing management and systems control weaknesses reported in the FMFIA Section 2 and Section 4 Assurance Statement questionnaires from GSA senior management, we identified that the Agency senior officials reported weaknesses in the following areas: Budgetary Reporting, Non-compliance with Federal Financial System Requirements and Internal Control Issues at the Heartland Region. PricewaterhouseCoopers (PwC) also identified budgetary reporting deficiencies regarding unfilled customer orders and undelivered customer orders as well as information systems deficiencies relating to system access, segregation of duties and monitoring controls. The PwC issues will be reported as significant deficiencies in their audit report. The OIG audits identified issues relating to the Federal Information Security Management Act (FISMA). Specifically, information systems tested were not adequately secured and required background investigations were not completed for contractors. Also, the Government Accountability Office (GAO) had reported relevant GSA operational deficiencies.

Budgetary Reporting

The Chief Financial Officer (CFO) and the Deputy CFO have identified budgetary accounts as an area of concern in their Fiscal Year 2007 Section 2 Assurance Statement questionnaires. PwC has also identified budgetary findings regarding undelivered orders and unfilled customer orders during their review of GSA’s Financial Statements.
Specifically, during the internal control testing phase of their Audit of GSA’s Financial Statements, PwC determined that controls surrounding the Public Buildings Service (PBS) unfilled customer orders and undelivered orders were ineffective. As a result, PBS performed statistical sampling of its budgetary accounts to validate the reported year-end balances. In turn, PwC performed further testing on these statistical samples to substantiate PBS’s budgetary account balances. This issue will be classified as a significant deficiency in the FY 2007 Financial Statement audit report.

Noncompliance with Federal Financial System Requirements

The CFO, Deputy CFO, and the Director of Financial Management Systems issued qualified Section 4 Assurance Statements due to non-compliance with Federal Financial System Requirements. The rationale behind the qualification, in part, was a continuation of the prior year Assurance Statement reporting with (1) room for improvement in the area of Unfilled Customer Orders and Obligations, (2) the lack of integrated feeder systems for Pegasys, and (3) inconsistent data elements from the feeder systems. Additionally, internal controls for Construction in Process were reported as complex and inefficient.

Also, the OMB Circular No. A-123 review performed by Cotton and Company LLP noted that the Visual Imaging Tracking and Processing (VITAP) and Regional Business Application (RBA) systems were classified as high-risk.

Internal Control Issues at Heartland Region

As reported in the Heartland Region’s Section 2 Assurance Statement, the Regional Administrator issued a qualified assurance statement relating to internal controls.
Specifically, the assurance statement details inadequate internal controls regarding recoveries of prior year obligations (chargebacks) that are difficult to trace through their systems to determine why the amounts are chargebacks. Several million dollars in chargebacks and write-offs against revenue have resulted in negative revenue. Also, the Global Supply Operation, a national program located in the Heartland Region, is not following Department of Defense’s (DoD) guidance for inter-agency transactions. Specifically, the DoD’s guidance requires that a review be performed by a DoD contracting officer prior to the placement of all orders over $500,000.

GSA’s Implementation of the Federal Information Security Management Act (FISMA)

As required by law, the OIG performed the FY 2007 review of GSA’s progress in implementing FISMA. The purpose of FISMA is to provide a framework for securing Federal information systems. Despite the GSA Chief Information Officer’s efforts to improve its information technology security program, it has not been fully effective in ensuring that risks for all applications, data repositories, and services within system boundaries are identified and mitigated. For instance, the FY 2007 FISMA report determined that oversight of contractor-supported systems was not comprehensive where systems were not secured. Auditors also found that configuration management should be strengthened in the area of configuration settings, and Agency policies and procedures are in need of improvement in some cases.

The Pegasys System, GSA’s web-based core financial system of record, was selected for review as part of the OIG’s annual FISMA audit. As a result of the ongoing operational audit of Pegasys and FISMA-related testing, the OIG issued an interim report A070094/B/TF080001, Pegasys Security Controls.
This interim report found that Pegasys has security control issues in several areas: configuration management, system and communications protection, web application security, system and services acquisition, and awareness and training. Due to the critical nature of these issues, the OIG issued the interim report to management.

Furthermore, as noted in the OIG’s FY 2007 FISMA Review of GSA’s Information Technology Security Program, controls currently in place and those planned under HSPD-12 will not ensure that contractor background investigations are

Report Distribution                                   Copies

Administrator (A)                                     3
Deputy Administrator (AD)                             3
Inspector General (J)                                 1
Deputy Inspector General (JD)                         1
Assistant Inspector General for Auditing (JA)         2
Assistant Inspector General for Investigations (JI)   1
Director, Audit Operations Staff (JAO)                1
Audit Follow-Up and Evaluation Branch (BECA)          1